FedEx emails with new trojan variant


MX Lab intercepted a new campaign of FedEx emails that have a trojan attached to the message. The email is sent from the spoofed address “Fedex Support, Trisha Kimble” <kyeagl@fedex.com> – please note that the name of the person can change.

Possible subjects:

Fedex Invoice Copy N25524750
Fedex Item Status N4347526
Fedex Shipment Status N0919106
Fedex Tracking Number N7897143

The body of the email does not contain any text, only an embedded image.

The email has the attachment FEDEXInvoiceEE438252OP.zip. The 36 kB file FedexInvoice_EE776129.exe is extracted from the zip archive.

At the time of writing, only 8 of the 42 AV engines at VirusTotal detected the trojan. The trojan is known as W32/Agent.JBI (Authentium), Suspicious:W32/Malware!Gemini (F-Secure), TrojanDropper:Win32/Oficla.T (Microsoft), a variant of Win32/Kryptik.GHC (NOD32).

VirusTotal permalink and MD5: 2587d5dc4b18e652532e556ac26f2290
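Because the sender name, the numbers and the file size change between messages, a mail filter is better off matching the traits described above (subject shape, a zip attachment holding an executable, no text in the body) than any single value. The following Python sketch is an added example, not MX Lab's code; the trait labels, the list of executable extensions and the sample message are assumptions constructed for illustration.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Subject shapes listed in the post: "Fedex <type> N<digits>"
SUBJECT_RE = re.compile(
    r"^Fedex (Invoice Copy|Item Status|Shipment Status|Tracking Number) N\d+$", re.I)
# Assumption: the post only mentions .exe; the other extensions are added here.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")

def zipped_executables(data):
    """Return names of executable members inside zip bytes ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []

def campaign_traits(raw):
    """Return the campaign traits found in a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    traits = []
    if SUBJECT_RE.match((msg["Subject"] or "").strip()):
        traits.append("subject")
    for att in msg.iter_attachments():
        if (att.get_filename() or "").lower().endswith(".zip"):
            exes = zipped_executables(att.get_payload(decode=True) or b"")
            if exes:
                traits.append("zip-with-exe:" + ",".join(exes))
    # Body check: strip HTML tags and see whether any visible text remains.
    body = msg.get_body(preferencelist=("plain", "html"))
    visible = re.sub(r"<[^>]+>", "", body.get_content()) if body else ""
    if not visible.strip():
        traits.append("no-text-body")
    return traits

def build_sample(subject, member_name):
    """Constructed test message: image-only HTML body plus a zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content('<img src="cid:banner">', subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="sample.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(campaign_traits(build_sample("Fedex Item Status N0000000",
                                       "FedexInvoice_sample.exe")))
```

A message that shows the subject and zip-with-exe traits together is a reasonable candidate for quarantine; the empty-body trait alone is too common in legitimate image-only mail to act on.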

5 Responses to FedEx emails with new trojan variant

  1. Antonio says:

    I just received a similar e-mail with the same message. This time the zip file was 21kB:
    Fedex Item Status N7448417
    Fedex Invoice EE076263OP

    • Ell Blac says:

      I just received an email as well, Fed Ex, stating your Fed Ex package was not delivered. The item # was N1150628 and I could not open the file??? It did not have an invoice #.

  2. Jim Bob says:

    We have been getting these emails all week now.

    Virus: a variant of Win32/Kryptik.GIP trojan
    Sender: khosack@fedex.com
    Original subject: Fedex Shipment Status N7439458
    Engine: NOD32 on 1-224
    Engine ID: {5EB45DE3-DE3B-465B-AFDF-69E7CEBA0608}

    The E-mail containing the virus or vulnerability has been quarantined to help protect your network.

  3. lisa says:

    I got the FedEx email today, a UPS one yesterday. I spammed both of them. I have been getting these emails for months, DHL, UPS and FedEx. I keep spamming them, but they keep coming through.

  4. Pingback: 'Fedex Tracking Number N….' with attachment 'FedexInvoice_…exe' ... ScareWare.de
